auth0-lock 11.32.2 → 11.33.2

package/.circleci/config.yml

@@ -4,7 +4,7 @@ orbs:
 executors:
   docker-executor:
     docker:
-      - image: circleci/node:14.15
+      - image: cimg/node:14.19-browsers
 jobs:
   build-and-test:
     executor: docker-executor
@@ -14,7 +14,7 @@ jobs:
       - checkout
       - run:
           name: Update Yarn
-          command: 'sudo npm update -g yarn'
+          command: 'npm update -g yarn'
       - restore_cache:
           name: Restore Yarn Package Cache
           key: yarn-packages-{{ checksum "yarn.lock" }}
@@ -49,7 +49,7 @@ jobs:
       - checkout
       - run:
           name: Update Yarn
-          command: 'sudo npm update -g yarn'
+          command: 'npm update -g yarn'
       - restore_cache:
           name: Restore Yarn Package Cache
           key: yarn-packages-{{ checksum "yarn.lock" }}

package/.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "npm" 
+    directory: "/" 
+    schedule:
+      interval: "daily"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]

package/.github/workflows/semgrep.yml

@@ -0,0 +1,25 @@
+name: Semgrep
+
+on:
+  pull_request: {}
+
+  push:
+    branches: ["master", "main"]
+
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v3
+
+      - run: semgrep ci
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

package/CHANGELOG.md

@@ -1,25 +1,72 @@
 # Change Log
 
+## [v11.33.2](https://github.com/auth0/lock/tree/v11.33.2) (2022-06-29)
+[Full Changelog](https://github.com/auth0/lock/compare/v11.33.1...v11.33.2)
+
+**Changed**
+- Bump qs from 6.10.5 to 6.11.0 [\#2147](https://github.com/auth0/lock/pull/2147) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump shell-quote from 1.7.2 to 1.7.3 [\#2145](https://github.com/auth0/lock/pull/2145) ([dependabot[bot]](https://github.com/apps/dependabot))
+- Bump prettier from 2.7.0 to 2.7.1 [\#2144](https://github.com/auth0/lock/pull/2144) ([dependabot[bot]](https://github.com/apps/dependabot))
+
+## [v11.33.1](https://github.com/auth0/lock/tree/v11.33.1) (2022-06-14)
+[Full Changelog](https://github.com/auth0/lock/compare/v11.33.0...v11.33.1)
+
+**Fixed**
+- Move captcha pane below additional signup fields in UI [\#2135](https://github.com/auth0/lock/pull/2135) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Security**
+- [Snyk] Upgrade dompurify from 2.3.6 to 2.3.7 [\#2132](https://github.com/auth0/lock/pull/2132) ([snyk-bot](https://github.com/snyk-bot))
+
+## [v11.33.0](https://github.com/auth0/lock/tree/v11.33.0) (2022-05-05)
+
+[Full Changelog](https://github.com/auth0/lock/compare/v11.32.2...v11.33.0)
+
+**Important**
+
+This release contains a change to how [custom signup fields](https://github.com/auth0/lock/#additional-sign-up-fields) are processed. From this release, all HTML tags are stripped from user input into any custom signup field before being sent to Auth0 to register the user. This is a security measure to help mitigate from potential XSS attacks in signup verification emails.
+
+If you would be affected by this change and require HTML to be specified in a custom signup field, please leave us some feedback in our [issue tracker](https://github.com/auth0/lock/issues).
+
+**Changed**
+
+- ui box - div replaced by main [\#2114](https://github.com/auth0/lock/pull/2114) ([piwysocki](https://github.com/piwysocki))
+- More complete support for custom passwordless connections [\#2105](https://github.com/auth0/lock/pull/2105) ([peter-isgfunds](https://github.com/peter-isgfunds))
+
+**Fixed**
+
+- fix: initialize reset password inside componentDidMount [\#2111](https://github.com/auth0/lock/pull/2111) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Security**
+
+- [Snyk] Upgrade dompurify from 2.3.4 to 2.3.5 [\#2101](https://github.com/auth0/lock/pull/2101) ([snyk-bot](https://github.com/snyk-bot))
+
 ## [v11.32.2](https://github.com/auth0/lock/tree/v11.32.2) (2022-02-08)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v11.32.1...v11.32.2)
 
 **Changed**
+
 - align german loginWithLabel translation with Apple Guidelines [\#2097](https://github.com/auth0/lock/pull/2097) ([Steffen911](https://github.com/Steffen911))
 
 **Fixed**
+
 - [SDK-3087] Captcha for single enterprise AD connections [\#2096](https://github.com/auth0/lock/pull/2096) ([stevehobbsdev](https://github.com/stevehobbsdev))
 
 **Security**
+
 - [Snyk] Upgrade qs from 6.10.2 to 6.10.3 [\#2095](https://github.com/auth0/lock/pull/2095) ([snyk-bot](https://github.com/snyk-bot))
 - Bump cached-path-relative from 1.0.2 to 1.1.0 [\#2091](https://github.com/auth0/lock/pull/2091) ([dependabot[bot]](https://github.com/apps/dependabot))
 
 ## [v11.32.1](https://github.com/auth0/lock/tree/v11.32.1) (2022-01-27)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v11.32.0...v11.32.1)
 
 **Changed**
+
 - Update auth0-js and support legacySameSiteCookie option [\#2089](https://github.com/auth0/lock/pull/2089) ([stevehobbsdev](https://github.com/stevehobbsdev))
 
 **Security**
+
 - Bump log4js from 6.3.0 to 6.4.0 [\#2087](https://github.com/auth0/lock/pull/2087) ([dependabot[bot]](https://github.com/apps/dependabot))
 - Security upgrade node-fetch to 2.6.7 [\#2085](https://github.com/auth0/lock/pull/2085) ([evansims](https://github.com/evansims))
 - [Snyk] Upgrade prop-types from 15.7.2 to 15.8.0 [\#2083](https://github.com/auth0/lock/pull/2083) ([snyk-bot](https://github.com/snyk-bot))
@@ -27,9 +74,11 @@
 - Bump follow-redirects from 1.14.4 to 1.14.7 [\#2081](https://github.com/auth0/lock/pull/2081) ([dependabot[bot]](https://github.com/apps/dependabot))
 
 ## [v11.32.0](https://github.com/auth0/lock/tree/v11.32.0) (2022-01-07)
+
 [Full Changelog](https://github.com/auth0/lock/compare/v11.31.1...v11.32.0)
 
 **Fixed**
+
 - [SDK-2970] Remove captcha for enterprise SSO connections [\#2071](https://github.com/auth0/lock/pull/2071) ([stevehobbsdev](https://github.com/stevehobbsdev))
 - Add ID attributes to password field + submit button [\#2072](https://github.com/auth0/lock/pull/2072) ([stevehobbsdev](https://github.com/stevehobbsdev))
 

package/README.md

@@ -25,7 +25,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/11.32.2/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/11.33.2/lock.min.js"></script>
 ```
 
 From [npm](https://npmjs.org)
@@ -490,6 +490,8 @@ Extra input fields can be added to the sign up screen with the `additionalSignUp
 
 Additional sign up fields are rendered below the default fields in the order they are provided.
 
+:warning: **Note**: From `11.33.2` onwards, all HTML tags are stripped from user input into custom signup fields.
+
 ##### Text field
 
 A `validator` function can also be provided.

package/lib/__tests__/connection/database/actions.js

@@ -158,4 +158,73 @@ describe('database/actions.js', function () {
     expect(signUpMock.calls.length).toBe(1);
     expect(signUpMock.calls[0][0]).toBe(id);
   });
+
+  it('sanitizes additionalSignUp fields using dompurify', function () {
+    var id = 1;
+    var hookRunner = jest.fn(function (str, m, context, fn) {
+      return fn();
+    });
+
+    require('connection/database/index').databaseConnectionName = function () {
+      return 'test-connection';
+    };
+    require('connection/database/index').shouldAutoLogin = function () {
+      return true;
+    };
+
+    // Test different fields using some examples from DOMPurify
+    // https://github.com/cure53/DOMPurify#some-purification-samples-please
+    var m = _immutable2.default.fromJS({
+      field: {
+        email: {
+          value: 'test@email.com'
+        },
+        password: {
+          value: 'testpass'
+        },
+        family_name: {
+          value: 'Test <a href="https://www.google.co.uk">Fake link</a>' // HTML but not malicious
+        },
+        given_name: {
+          value: '<img src=x onerror=alert(1)//>'
+        },
+        name: {
+          value: '<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>'
+        },
+        other_name: {
+          value: '<div onclick=alert(0)><form onsubmit=alert(1)><input onfocus=alert(2) name=parentNode>123</form></div>'
+        }
+      },
+      database: {
+        additionalSignUpFields: [{ name: 'family_name', storage: 'root' }, { name: 'given_name', storage: 'root' }, { name: 'name', storage: 'root' }, { name: 'other_name' }]
+      },
+      core: {
+        hookRunner: hookRunner
+      }
+    });
+
+    (0, _store.swap)(_store.setEntity, 'lock', id, m);
+    (0, _actions.signUp)(id);
+
+    var _coreActionsMock3 = coreActionsMock(),
+        validateAndSubmitMock = _coreActionsMock3.validateAndSubmit.mock;
+
+    validateAndSubmitMock.calls[0][2](m);
+
+    var _webApiMock3 = webApiMock(),
+        signUpMock = _webApiMock3.signUp.mock;
+
+    expect(signUpMock.calls[0][1]).toMatchObject({
+      connection: 'test-connection',
+      email: 'test@email.com',
+      password: 'testpass',
+      autoLogin: true,
+      family_name: 'Test Fake link',
+      given_name: '',
+      name: 'abc',
+      user_metadata: {
+        other_name: '123'
+      }
+    });
+  });
 });

package/lib/connection/database/actions.js

@@ -13,10 +13,6 @@ exports.cancelMFALogin = cancelMFALogin;
 exports.toggleTermsAcceptance = toggleTermsAcceptance;
 exports.showLoginMFAActivity = showLoginMFAActivity;
 
-var _immutable = require('immutable');
-
-var _immutable2 = _interopRequireDefault(_immutable);
-
 var _index = require('../../store/index');
 
 var _web_api = require('../../core/web_api');
@@ -33,6 +29,8 @@ var _index3 = require('../../field/index');
 
 var c = _interopRequireWildcard(_index3);
 
+var _dompurify = require('dompurify');
+
 var _index4 = require('./index');
 
 var _i18n = require('../../i18n');
@@ -136,7 +134,8 @@ function signUp(id) {
       (0, _index4.additionalSignUpFields)(m).forEach(function (x) {
         var storage = x.get('storage');
         var fieldName = x.get('name');
-        var fieldValue = c.getFieldValue(m, x.get('name'));
+        var fieldValue = (0, _dompurify.sanitize)(c.getFieldValue(m, x.get('name')), { ALLOWED_TAGS: [] });
+
         switch (storage) {
           case 'root':
             params[fieldName] = fieldValue;

package/lib/connection/database/reset_password.js

@@ -48,35 +48,53 @@ function _possibleConstructorReturn(self, call) { if (!self) { throw new Referen
 
 function _inherits(subClass, superClass) { if (typeof superClass !== "function" && superClass !== null) { throw new TypeError("Super expression must either be null or a function, not " + typeof superClass); } subClass.prototype = Object.create(superClass && superClass.prototype, { constructor: { value: subClass, enumerable: false, writable: true, configurable: true } }); if (superClass) Object.setPrototypeOf ? Object.setPrototypeOf(subClass, superClass) : subClass.__proto__ = superClass; }
 
-var Component = function Component(_ref) {
-  var i18n = _ref.i18n,
-      model = _ref.model;
-
-  var headerText = i18n.html('forgotPasswordInstructions') || null;
-  var header = headerText && _react2.default.createElement(
-    'p',
-    null,
-    headerText
-  );
-  var connectionResolver = l.connectionResolver(model);
-
-  // When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email').
-  // If the user has entered an email address as the username, and a custom resolver is being used, copy the
-  // value from the 'username' field to the 'email' field so that `EmailPane` can render it.
-  if (connectionResolver) {
-    var field = (0, _field.getField)(model, 'username');
-    var value = field.get('value', '');
-
-    (0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false);
+var Component = function (_React$Component) {
+  _inherits(Component, _React$Component);
+
+  function Component() {
+    _classCallCheck(this, Component);
+
+    return _possibleConstructorReturn(this, _React$Component.apply(this, arguments));
   }
 
-  return _react2.default.createElement(_reset_password_pane2.default, {
-    emailInputPlaceholder: i18n.str('emailInputPlaceholder'),
-    header: header,
-    i18n: i18n,
-    lock: model
-  });
-};
+  Component.prototype.componentDidMount = function componentDidMount() {
+    var model = this.props.model;
+
+    var connectionResolver = l.connectionResolver(model);
+
+    // When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email').
+    // If the user has entered an email address as the username, and a custom resolver is being used, copy the
+    // value from the 'username' field to the 'email' field so that `EmailPane` can render it.
+    if (connectionResolver) {
+      var field = (0, _field.getField)(model, 'username');
+      var value = field.get('value', '');
+
+      (0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false);
+    }
+  };
+
+  Component.prototype.render = function render() {
+    var _props = this.props,
+        i18n = _props.i18n,
+        model = _props.model;
+
+    var headerText = i18n.html('forgotPasswordInstructions') || null;
+    var header = headerText && _react2.default.createElement(
+      'p',
+      null,
+      headerText
+    );
+
+    return _react2.default.createElement(_reset_password_pane2.default, {
+      emailInputPlaceholder: i18n.str('emailInputPlaceholder'),
+      header: header,
+      i18n: i18n,
+      lock: model
+    });
+  };
+
+  return Component;
+}(_react2.default.Component);
 
 var ResetPassword = function (_Screen) {
   _inherits(ResetPassword, _Screen);

package/lib/connection/passwordless/actions.js

@@ -86,12 +86,15 @@ function resendEmailError(id, error) {
   (0, _index.swap)(_index.updateEntity, 'lock', id, _index4.setResendFailed);
 }
 
-function sendEmail(m, successFn, errorFn) {
-  var connections = l.connections(m, 'passwordless', 'email');
-  var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'email';
+function getPasswordlessConnectionName(m, defaultPasswordlessConnection) {
+  var connections = l.connections(m, 'passwordless', defaultPasswordlessConnection);
+
+  return connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : defaultPasswordlessConnection;
+}
 
+function sendEmail(m, successFn, errorFn) {
   var params = {
-    connection: connectionName,
+    connection: getPasswordlessConnectionName(m, 'email'),
     email: c.getFieldValue(m, 'email'),
     send: (0, _index4.send)(m)
   };
@@ -113,11 +116,8 @@ function sendEmail(m, successFn, errorFn) {
 
 function sendSMS(id) {
   (0, _actions.validateAndSubmit)(id, ['phoneNumber'], function (m) {
-    var connections = l.connections(m, 'passwordless', 'sms');
-    var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'sms';
-
     var params = {
-      connection: connectionName,
+      connection: getPasswordlessConnectionName(m, 'sms'),
       phoneNumber: (0, _phone_number.phoneNumberWithDiallingCode)(m),
       send: (0, _index4.send)(m)
     };
@@ -155,10 +155,10 @@ function logIn(id) {
     verificationCode: c.getFieldValue(m, 'vcode')
   }, authParams);
   if ((0, _index4.isEmail)(m)) {
-    params.connection = 'email';
+    params.connection = getPasswordlessConnectionName(m, 'email');
     params.email = c.getFieldValue(m, 'email');
   } else {
-    params.connection = 'sms';
+    params.connection = getPasswordlessConnectionName(m, 'sms');
     params.phoneNumber = (0, _phone_number.phoneNumberWithDiallingCode)(m);
   }
   (0, _index.swap)(_index.updateEntity, 'lock', id, l.setSubmitting, true);

package/lib/core/web_api/helper.js

@@ -176,5 +176,5 @@ function trimAuthParams() {
 }
 
 function getVersion() {
-  return '11.32.2';
+  return '11.33.2';
 }

package/lib/engine/classic/sign_up_pane.js

@@ -125,8 +125,8 @@ var SignUpPane = function (_React$Component) {
       }),
       usernamePane,
       passwordPane,
-      captchaPane,
-      fields
+      fields,
+      captchaPane
     );
   };
 

package/lib/i18n.js

@@ -125,7 +125,7 @@ function assertLanguage(m, language, base) {
 function syncLang(m, language, _cb) {
   (0, _cdn_utils.load)({
     method: 'registerLanguageDictionary',
-    url: l.languageBaseUrl(m) + '/js/lock/' + '11.32.2' + '/' + language + '.js',
+    url: l.languageBaseUrl(m) + '/js/lock/' + '11.33.2' + '/' + language + '.js',
     check: function check(str) {
       return str && str === language;
     },

package/lib/lock.js

@@ -42,7 +42,7 @@ var Auth0Lock = function (_Core) {
 
 
 exports.default = Auth0Lock;
-Auth0Lock.version = '11.32.2';
+Auth0Lock.version = '11.33.2';
 
 // TODO: should we have different telemetry for classic/passwordless?
 // TODO: should we set telemetry info before each request?

package/lib/passwordless.js

@@ -41,4 +41,4 @@ var Auth0LockPasswordless = function (_Core) {
 exports.default = Auth0LockPasswordless;
 
 
-Auth0LockPasswordless.version = '11.32.2';
+Auth0LockPasswordless.version = '11.33.2';

package/lib/ui/box.js

@@ -32,7 +32,7 @@ var ContainerManager = function () {
     var container = window.document.getElementById(id);
 
     if (!container && shouldAppend) {
-      container = window.document.createElement('div');
+      container = window.document.createElement('main');
       container.id = id;
       container.className = 'auth0-lock-container';
       window.document.body.appendChild(container);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-lock",
-  "version": "11.32.2",
+  "version": "11.33.2",
   "description": "Auth0 Lock",
   "author": "Auth0 <support@auth0.com> (http://auth0.com)",
   "license": "MIT",
@@ -56,7 +56,7 @@
     "bump-version": "^0.5.0",
     "chalk": "^4.1.2",
     "cross-env": "^7.0.3",
-    "css-loader": "^0.26.1",
+    "css-loader": "^0.28.11",
     "emojic": "^1.1.15",
     "enzyme": "^3.1.0",
     "enzyme-adapter-react-15": "^1.0.1",
@@ -72,7 +72,7 @@
     "grunt-babel": "^6.0.0",
     "grunt-cli": "^0.1.13",
     "grunt-concurrent": "^2.3.1",
-    "grunt-contrib-clean": "^0.6.0",
+    "grunt-contrib-clean": "^0.7.0",
     "grunt-env": "^0.4.4",
     "grunt-exec": "^0.4.6",
     "grunt-webpack": "^2.0.1",
@@ -93,9 +93,9 @@
     "puppeteer": "^10.1.0",
     "react-test-renderer": "^15.6.2",
     "sinon": "^1.15.4",
-    "stylus": "^0.54.5",
+    "stylus": "^0.58.1",
     "stylus-loader": "^2.3.1",
-    "tmp": "^0.1.0",
+    "tmp": "^0.2.1",
     "uglify-js": "^2.7.4",
     "unminified-webpack-plugin": "^1.1.1",
     "unreleased": "^0.1.0",
@@ -109,7 +109,7 @@
     "auth0-password-policies": "^1.0.2",
     "blueimp-md5": "^2.19.0",
     "classnames": "^2.3.1",
-    "dompurify": "^2.3.4",
+    "dompurify": "^2.3.7",
     "immutable": "^3.7.3",
     "jsonp": "^0.2.1",
     "node-fetch": "^2.6.7",